On 07/19/2017 10:02 AM, James Le Cuirot wrote:
On Thu, 26 Jul 2012 07:19:35 -0700, Arnd Hannemann wrote:
Currently openipmi expects that the privilege level in the
open session response equals the privilege which was requested.
This is wrong, because it is legal to request a lower privilege
level than allowed for a user:
According to IPMI v2.0 spec the RMCP+ Open Session Response
contains the _maximum_ privilege Level allowed for a session.
Furthermore Andy Cress pointed out:
Even if the privilege is detected wrong here, it should not abort, but
proceed.
The bug was found because there seems to be a bug in the HP ILO3 IPMI
implementation where the maximum privilege level returned in the
response is "admin" even if the user is only allowed to login with
privilege "operator".
Both bugs together prevent the ipmilan stonith agent from working with ILO3
and fence with priv="operator".
This patch fixes the behavior of openIPMI and allows the "session
open" response message to contain a different privilege level than
requested. A warning is issued if the privilege level is lower than
requested.
With this patch fencing with "priv=operator" works correctly.
Signed-off-by: Arnd Hannemann <[email protected]>
---
lib/ipmi_lan.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/ipmi_lan.c b/lib/ipmi_lan.c
index c55445e..cc75531 100644
--- a/lib/ipmi_lan.c
+++ b/lib/ipmi_lan.c
@@ -4530,13 +4530,11 @@ got_rmcpp_open_session_rsp(ipmi_con_t *ipmi,
ipmi_msgi_t *rspi)
lan = (lan_data_t *) ipmi->con_data;
privilege = msg->data[2] & 0xf;
- if (privilege != lan->cparm.privilege) {
- ipmi_log(IPMI_LOG_ERR_INFO,
+ if (privilege < lan->cparm.privilege) {
+ ipmi_log(IPMI_LOG_WARNING,
"%sipmi_lan.c(got_rmcpp_open_session_rsp): "
"Expected privilege %d, got %d",
IPMI_CONN_NAME(ipmi), lan->cparm.privilege,
privilege);
- handle_connected(ipmi, EINVAL, addr_num);
- goto out;
}
session_id = ipmi_get_uint32(msg->data+4);
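Review bot: in the `privilege < lan->cparm.privilege` branch the code now only logs a warning and falls through to the session_id parsing, so a session whose reported maximum is below the requested level is brought up as if nothing differed. The visible lines do not record the lower level anywhere, so later code may still assume lan->cparm.privilege was granted; consider storing the returned value or documenting that callers must not rely on it. The log text "Expected privilege %d, got %d" also no longer matches the condition: it now describes a requested level against a maximum allowed level, and wording it that way would make the warning easier to act on. A short comment above the `if` stating why a higher returned level is accepted silently (the field is a maximum, and some firmware reports "admin" regardless) would save the next reader from restoring the `!=` check.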
--
1.7.9.5
I was very disappointed to find that this patch was never merged. I had
to build my own RPM for my production Zabbix server, which isn't ideal.
I can confirm that the patch still works against 2.0.23. Could it please
be merged now?
Sorry, I guess I missed that. It's merged now. I think it is really an
error if the firmware gives you a higher privilege than you ask for, but
I'm not sure what you can do about it. It's probably just best to ignore it.
-corey
Regards,
James
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openipmi-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openipmi-developer